PAM configuration

Daniel T. Chen chenda at cs.unc.edu
Wed Dec 27 16:55:10 EST 2000


On Wed, 27 Dec 2000, Damien Miller wrote:

> To stem the tide of support requests from people who don't read the
> INSTALL file when installing OpenSSH and then complain about password
> auth failing, I am considering the idea of automagically installing a
> PAM file into /etc/pam.d if it exists, PAM support is enabled and no
> such file already exists.

I think this is a great idea.  I'm attaching an /etc/pam.d/sshd that works
on my SuSE 6.[3,4] and 7.0 machines.

> - Some PAM control files specify full paths to the modules, is this
> necessary?

According to the Linux-PAM system administrators' guide, this is necessary
(check around line 185 of PAM(8)).  I can't really speak for other
operating systems.

> - I want a "no-frills" control file which will work with the widest
> range of systems and still be secure. Would something like the following
> work everywhere? I assume pam_unix is pretty standard, but how about
> pam_cracklib, pam_nologin and pam_limits?

SuSE 6.[3,4] and 7.0 use "specializations" of pam_unix.so (probably hard
links to one particular pam_unix_[acct,auth,passwd,session]), but otherwise
pam_cracklib, pam_nologin, and pam_limits are as defined.  See my attached
/etc/pam.d/sshd.

> [...]

Thx,
dtc
-------------- next part --------------
#%PAM-1.0
auth       required     /lib/security/pam_unix_auth.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix_passwd.so shadow md5 use_authtok
session    required     /lib/security/pam_unix_session.so
session    required     /lib/security/pam_limits.so
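
The install rule proposed in the quoted text (install only when the PAM directory exists and no sshd file is there yet), combined with a check that every module the control file names is present on the target system, sketched as an added example. It is not code from OpenSSH or from either poster; the function names, arguments and return codes are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the argument order are assumptions.
# Handles the simple "type control module [args]" line syntax only.

# pam_modules FILE: print the module field of every rule line.
pam_modules() {
    awk '$1 !~ /^#/ && NF >= 3 { print $3 }' "$1"
}

# missing_modules FILE MODDIR: print referenced modules not found on disk.
# Full paths are checked as written, bare names are looked up in MODDIR.
missing_modules() {
    pam_modules "$1" | sort -u | while read -r mod; do
        case $mod in
            /*) path=$mod ;;
            *)  path=$2/$mod ;;
        esac
        [ -f "$path" ] || printf '%s\n' "$mod"
    done
}

# install_pam_file SRC PAMDIR MODDIR
# Returns 0 = installed, 1 = no PAMDIR (or temp file failed),
#         2 = PAMDIR/sshd already present, 3 = a referenced module is missing.
install_pam_file() {
    src=$1; pamdir=$2; moddir=$3; target=$pamdir/sshd
    [ -d "$pamdir" ] || return 1
    # -L also catches a dangling symlink, which -e reports as absent.
    if [ -e "$target" ] || [ -L "$target" ]; then return 2; fi
    [ -z "$(missing_modules "$src" "$moddir")" ] || return 3
    tmp=$(mktemp "$pamdir/.sshd.XXXXXX") || return 1
    # ln without -f refuses to replace a file that appeared in the meantime.
    if cat "$src" > "$tmp" && chmod 644 "$tmp" && ln "$tmp" "$target"; then
        rc=0
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Run against the attached control file on a system without the SuSE-specific pam_unix_auth.so and friends, `missing_modules` lists exactly those modules and nothing is installed.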


More information about the openssh-unix-dev mailing list